How can we be at cyberwar if we don't know what it is?

It is time for a public debate on whether and how to wage war in cyber space

By William Jackson

Mar 22, 2010

A chorus of alarmists is raising the specter of cyberwarfare and urging the militarization of the Internet to ensure our national security against online attacks.

“The United States is fighting a cyberwar today and we are losing it,” former National Security Agency chief and national intelligence director Mike McConnell wrote in a recent op-ed column in the Washington Post. “It’s that simple.”

It is neither simple nor true. Failure to distinguish between real acts of war and other malicious behavior not only increases the risks of war, but also distracts us from more immediate threats such as online crime. Before we plunge into a Cold War-style arms race with perceived online enemies, we should engage in a public dialog and decide exactly what cyberwar is, who should fight it and how to do it.

Words have consequences. War entails specific risks and responsibilities and should not be entered into lightly. The Constitution lays out requirements for engaging in war, and the United States is a signatory to treaties that impose legal restrictions on conducting warfare, such as distinguishing between combatants and non-combatants and military and non-military targets. And once a nation engages in an act of war, it invites retaliation, regardless of its motives.

As of now, we have no workable definition of what constitutes cyberwar, and more often than not we lack the ability to accurately distinguish it from act of online vandalism.

Recent comments by White House Cybersecurity Coordinator Howard Schmidt in a Wired magazine interview were a breath of fresh air. “There is no cyberwar,” Schmidt said. “I think that is a terrible metaphor and I think that is a terrible concept.”

What the United States and the rest of the world deal with on a daily basis in cyberspace typically are crime and espionage. These are bad things, but they are not warfare. James Lewis, who helped lead the Center for Strategic and International Studies’ study on cybersecurity for the 44th presidency, recently called cyberwar a “loaded term.”

“No one has yet entered into cyberwarfare,” Lewis said. Warfare consists of more than vandalism, inconvenience or even theft, he said. “As you move toward damage and casualties, then you cross the threshold.”

None of these reservations means that the threat of actual cyberwar does not exist. The United States and a number of other countries are actively pursuing the capability to wage cyberwar as well as defend against it. “They have done the reconnaissance, they have done the planning and developed the tools,” Lewis said.

A good way to prevent the use of these tools is to have a clear understanding of the rules under which they are to be used and the consequences for using them. To date we have not done a very good job of this. Former presidential advisor Richard A. Clarke, in his forthcoming book, “Cyber War,” likens the situation to the nuclear proliferation of the 1950s.

“In the first decade of the twenty-first century, the U.S. developed and systematically deployed a new type of weapon, based on our new technologies, and we did so without a thoughtful strategy,” he writes. “We created a new military command to conduct a new kind of high-tech war, without public debate, media discussion, serious congressional oversight, academic analysis, or international dialogue.”

Not only would such a dialogue help to define the conditions and rules for cyberwar, but they would free us to better deal with the very real threat of cybercrime. If we are not able to see cybercrime for what it really is, we will not be able to effectively deal with it. If the so-called war on drugs has taught us anything, it is that declaring war against a criminal activity is likely to fail.

The Department of Homeland Security banned the Russian cybersecurity company Kaspersky Lab’s products from federal agencies in a new binding operational directive.

Reader comments

Fri, Apr 9, 2010

Cyber warfare has already occured, back in the 40's. We didn't have the internet as it exists today but we did have a world-wide network, web if you will, of telphone, telegraph, and most important, radio, that comprised the 1940 WWW. It's the same thing it just used cutting edge tech of the day. When you target the perception of an enemy in an effort to prevent them from knowing the truth or warp their concept of reality, or when your computer reaches out to the bad guys computer and changes data that affects his descision making capability, that is cyber warfare. What about all the manipulaiton of information and perception management that occured during the conflict in Kosovo, Serbia? Anybody remember the headless baby tht was used hundreds of times to show how barbaric the US was? That is Cyber warfare my friends and Lewis needs to take off his coldwar blinders. He still lives in the SAC-B-52, missile in a hole targeting mentality. I once went toe-to-toe with an Air Force General with a pocket-rocket who told me I knew nothing about targeting and that targeting could not be done using a computer to attack another computer and not considered warfare. He told me "I used to put coordinates in a missile computer aimed at the bad guys, that, Sergeant, is Targeting!". I rest my case.

Wed, Mar 24, 2010
Rich

It makes no difference if attackers are causing vandalism, theft (of funds or secrets), or causing catastrophic failure - it's criminal and needs to be stopped. If it is another government it's war. We need proactive IT strategy now to stop this through defensive and offensive capability that actually works. The US Government should be hiring the best of the best to do this, right now.

Tue, Mar 23, 2010

Lewis contradicts himself with these statements from his article. (“No one has yet entered into cyberwarfare,” Lewis said. Warfare consists of more than vandalism, inconvenience or even theft, he said. “As you move toward damage and casualties, then you cross the threshold.”) The problem is that "vandalism, inconvenience or even theft" is "damage". A lot of business and organizations are "casualties" of the damage done due to these cyber attacks. The problem with people like Lewis is that they are usually in a position that they never have to really suffer from "vandalism, inconvenience or even theft" because all those costs were passed on to someone else. That additude is prevelant in this administration which only has 8% of its appointees having private sector experience. (The norm is typically in the 40 to 55% range.) They have never had to take much responsibility or suffer the consequences of the real world - so it is easy for them to say we are not in a cyber war.

Tue, Mar 23, 2010

And while we are "defining" we get our butts handed to us on a plate. I think I'll go with the real expert on this . . .namely Mr. McConnell

Tue, Mar 23, 2010
Anton
Washington, DC

A tremendous critique of sexy new buzz words. I would love to hear your opinions on "Transparency in government". I sometimes feel like I want to scream everytime I see the phrase in an article. I have read several definitions and they don't satisfy me. I, for one, don't want my government to be "transparent". I want it to be solid, relevant, truthful, accountable. I want to know that what my government is telling me is the verifiable truth.

Please post your comments here. Comments are moderated, so they may not appear immediately
after submitting. We will not post comments that we consider abusive or off-topic.